Decode Your HTTP Traffic with sysdig

Sysdig goes application aware! Recently we’ve been adding useful little features to sysdig at a good pace, and one that is worth mentioning is HTTP decoding.

Starting with sysdig 0.1.103, we have added two chisels, httplog and httptop, which provide insights into all HTTP traffic flowing on your server. They list the requests sent and received, and they can be used to find out exactly what is hitting a web server. This blog post presents them and shows a couple of usage tricks to get the best out of them.

But first, let’s take a step back and talk about echoing network connections in sysdig.

The Old Way: The echo_fds Chisel

For quite a bit of time, sysdig has offered a chisel to inspect the activity of a given set of file descriptors. It’s called echo_fds, and you can easily use it to troubleshoot network connections using the appropriate filter, for example:

Echo_fds has the nice benefit of being able to display network connections established by any container. And, of course, its functionality is nicely integrated into the csysdig curses interface.

The New Way: the httplog and httptop Chisels

Httplog and httptop go one step further by implementing some basic decoding of the raw data that echo_fds shows. In particular, if the connection is carrying HTTP data, they extract information like the URL and the response time. You can think about this as a simple version of ngxtop, but web server agnostic and able to see inside containers. Httplog will print information about every request, in a way similar to a log:

Filtering Fun

As usual, leveraging sysdig’s filtering engine in conjunction with chisels can make your experience more fun and rewarding.

For example, you can observe the web requests of a particular container:

# sysdig -pc -c httplog container.name=wordpress

or the ones that were not served by an expected process:

# sysdig -pc -c httplog "proc.name!=httpd"

or that are coming from a specific client:

# sysdig -pc -c httplog fd.cip=192.168.0.1

Wrapping Up

The httplog and httptop chisels expand sysdig’s Swiss Army knife capabilities, and are great for keeping an eye on your containerized web servers. And if you need this functionality (and much more!) but for all the machines and containers in your infrastructure, try Sysdig Cloud for free for 14 days.